Security Weekly News 4 March 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

 
Four British men sentenced for their part in the largest cyber crime forum ever discovered
The UK founder of the infamous GhostMarket.net cyber crime forum has been convicted along with three others of computer offences linked to the running of the largest English language site of its kind ever discovered.
Nicholas Webber, 19, has been jailed for five and a half years, after being arrested in October 2009 while trying to pay for a London hotel room with stolen credit card details.
The police subsequently found more than 130,000 compromised credit card numbers on PCs belonging to Webber and co-defendants Ryan Thomas, Gary Paul Kelly and Ricardo Shakira.
 
Blog host WordPress.com was the target of a distributed denial-of-service (DDoS) attack earlier today described by the company as the largest in its history.
As a result, a number of blogs, including those that are part of WordPress’ VIP service, suffered connectivity issues. That includes the Financial Post, the National Post and TechCrunch, along with the service’s nearly 18 million hosted blogs.
According to a post by Automattic employee Sara Rosso on the company’s VIP Lobby (which had been down at the time of the attacks, though was archived by Graham Cluley over at Naked Security), the size of the attack reached ‘multiple Gigabits per second and tens of millions of packets per second.’ Rosso had also said putting a stop to the attack was ‘proving rather difficult.’
 
The numbers could have been better for the Alexa Top 100K Sites. This problem extends well beyond the Alexa top site listings, but we wanted to put into perspective that this is a widely spread problem affecting even the most popular of sites.
Just in the last 6 months, more than 1% of the top 1 million sites (according to Alexa) were blacklisted by Google. That’s a total of 10,494 sites.
 
LONG BEACH, California (AFP) – A German computer security expert said Thursday he believes the United States and Israel’s Mossad unleashed the malicious Stuxnet worm on Iran’s nuclear program.
‘My opinion is that the Mossad is involved,’ Ralph Langner said while discussing his in-depth Stuxnet analysis at a prestigious TED conference in the Southern California city of Long Beach.
‘But, the leading source is not Israel… There is only one leading source, and that is the United States.’
 
Mac OS X backdoor Trojan, now in beta?  [nakedsecurity.sophos.com]
It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple’s increasing market share.
SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet.
 
ChronoPay’s Scareware Diaries  [krebsonsecurity.com]
If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.
Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.
 
Trying to explain Anonymous is a hopeless undertaking – as a first approximation you can view them as a group of anonymous internet activists. Anonymous has recently come to the public’s attention through its support for WikiLeaks, which resulted in it overloading and bringing down the main web sites of PayPal, MasterCard and the Swiss bank PostFinance.
 
‘Dude, where’s my SSL?’
Actor Ashton Kutcher’s more than 6.4 million Twitter followers yesterday got a firsthand look at what can happen when your Twitter account gets hijacked — and by a security activist who wanted to make a point:
‘Ashton, you’ve been Punk’d. This account is not secure. Dude, where’s my SSL?’
Kutcher, who is among the glitterati this week attending the TED (Technology Entertainment and Design) Conference in Long Beach, Calif. — which includes big-name speakers such as Bill Gates; Bill Ford, CEO of Ford Motor Co.; and, from the security industry, security consultant Ralph Langner, best-known for his analysis of Stuxnet — appears to have fallen victim to a cookie-jacking incident.

Unpatched Vulnerabilities

 
As reported on the users list [1], both Tomcat 7.0.8 and the latest
Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
Assuming this issue is confirmed, it may lead to authentication bypass
and information disclosure.
The exact details are still being investigated but this e-mail is being
provided to give users early warning of this public issue.
If code changes are required to address this, they will be included in
the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
expected to start once the investigation of this issue is complete.

Software Updates

 
Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file.
 
Firefox 3.6.14 released  [www.mozilla.org]
Fixed in Firefox 3.6.14
MFSA 2011-10 CSRF risk with plugins and 307 redirects
MFSA 2011-09 Crash caused by corrupted JPEG image
MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
MFSA 2011-07 Memory corruption during text run construction (Windows)
MFSA 2011-06 Use-after-free error using Web Workers
MFSA 2011-05 Buffer overflow in JavaScript atom map
MFSA 2011-04 Buffer overflow in JavaScript upvarMap
MFSA 2011-03 Use-after-free error in JSON.stringify
MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
 
 
 
— CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
— Affected Vendors:
Postgres
— Affected Products:
Postgres Plus SQL
— Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Postgres Plus Advanced Server DBA Management
Server. Authentication is not required to exploit this vulnerability.
 
The Wireshark developers have announced the release of versions 1.2.15 and 1.4.4 of their open source, cross-platform network protocol analyser; the maintenance updates address two highly critical security vulnerabilities that could cause the application to crash.
 
Foxit Software has announced the release of version 4.3.1.0218 of its PDF Reader product, a maintenance update that addresses a ‘highly critical’ security vulnerability. According to Foxit, the patch corrects an issue that could, when opening a specially crafted document, cause an integer overflow error when processing specific ICC profiles, in turn leading to a heap-based buffer overflow. This could be used, for example, by an attacker to compromise a user’s system by terminating the application or executing arbitrary code.
 
Chrome 9.0.597.107 released  [googlechromereleases.blogspot.com]
 
Thunderbird 3.1.8 released  [www.mozilla.org]
Fixed in Thunderbird 3.1.8
MFSA 2011-09 Crash caused by corrupted JPEG image
MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
 
New avast! Free:  [www.avast.com]
6.0 reasons to give your old antivirus the boot
While industry testing shows that avast! Free version 5.0 handily beats most paid-for antivirus products, AVAST Software is pushing the envelope even further with the new avast! 6.0 – launching today.
“With our new avast! 6.0 Free Antivirus, we’ve added advanced capabilities that aren’t in any mainstream AV product. Once again, we are providing a free antivirus that often exceeds the protection offered by other paid-for products,” said Vince Steckler, CEO of AVAST Software. “In these tight economic times, there is no reason for people to keep paying for the overpriced AV that they have on their computers.”
There are six good reasons why computer users should remove the original antivirus on their computers and install the new avast! Free Antivirus 6.0.
 
Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS), authentication bypass
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX OpenSSL. This vulnerability could be exploited
remotely to execute arbitrary code or create a Denial of Service (DoS) or an authentication bypass.
 
Today, as part of our usual monthly bulletin cadence, we are providing our Advance Notification Service for March’s security bulletins. This month we’ll release three bulletins, one of them rated Critical and two rated Important, addressing issues in Microsoft Windows and Office. We’ll close four vulnerabilities with those bulletins.
The bulletin release is once again slated for the second Tuesday of the month — March 8th at 10:00 a.m. PST. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month’s highlights.

Business Case for Security

 
There are add-ons, VPNs, and apps galore that offer a safer browsing experience, but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.
 
Security is Frustrating  [pauldotcom.com]
Dave explores the reasons why people do things like MAC address filtering and hiding their SSID instead of using strong passwords. We see this happen a lot in the corporate world too: people implement security that is easy, not what works. Seems to me that there needs to be a shift of focus. Let’s focus on the hard stuff, like passwords, authentication, physical security, client security, and other stuff that I have probably told people they need to do. Yet we keep marching down the Firewall/IDS/IPS/Anti-Virus route. Dave brings up two more great points: people think they don’t have to defend against the best hackers in the world, yet the best hackers in the world create tools that people use. Secondly, he questions why we are doing things backwards, as in using simple passwords but implementing hidden SSIDs and MAC filtering.
 
New IBM report highlights shift in endpoint security within the enterprise
A new IBM report found that more than 70 percent of organizations are allowing nontraditional endpoint devices — think smartphones, iPads, and point-of-sale devices — to connect to their corporate networks, but some 36 percent say these devices aren’t properly secured.
 
IC3 received more than 300,000 complaints in 2010 — second-most ever
Online crime was up again in 2010, hitting its second-highest numbers of the past decade, according to a report issued by federal law enforcement authorities yesterday.
According to the ‘2010 Internet Crime Report,’ the Internet Crime Complaint Center (IC3) received 303,809 complaints of Internet crime in 2010, the second-most in its 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
 
The German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act. The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

Web Technologies

 
Agnitio v1.2 released today  [www.securityninja.co.uk]
I wanted to start today’s blog post by saying thank you to everyone who has downloaded Agnitio so far! Agnitio has been downloaded 1250 times since I released v1.0 104 days ago, and with people still downloading both v1.0 and v1.1 nearly every day that number continues to rise! I must admit that when I first released Agnitio I was worried that no one would download and use it; building isn’t as sexy as breaking in information security, and the same applies to the tools. Agnitio isn’t ever going to be a Metasploit or SET, you can’t pop boxes with it, but it will hopefully help you find and fix vulnerabilities in your web applications.
 
Filed under DoS, java, php
Originally posted as Taming the Beast
The recent multi-language numerical parsing DoS bug has been named the ‘Mark of the Beast’. Some claim that this bug was first reported as early as 2001. This is a significant bug in (at least) PHP and Java. Similar issues have affected Ruby in the past. This bug has left a number of servers, web frameworks and custom web applications vulnerable to easily exploitable Denial of Service. Oracle has patched this vuln, but there are several non-Oracle JVMs that have yet to release a patch. Tactical patching may be prudent for your environment.
Here are three approaches that may help you tame this beast of a bug.
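One tactical mitigation of the kind the post alludes to, as an added example (this is not the post's code and not one of its three approaches): a front-end filter that canonicalises decimal strings before an unpatched Java or PHP back end parses them. It assumes the publicly reported trigger value (2.2250738585072011e-308 for Java, 2.2250738585072012e-308 for PHP) as the signature and uses a constructed set of request parameters.

```python
import re

# Known trigger digits: Java's 2.2250738585072011e-308 and PHP's
# 2.2250738585072012e-308 share these 16 leading digits at decimal
# magnitude 1e-308 (assumption taken from public reports of the bug).
# This is the signature of a stop-gap filter, not a substitute for patching.
BEAST_PREFIX = "2225073858507201"
BEAST_EXP10 = -308

# Plain decimal literal: optional sign, digits, optional fraction, optional exponent.
_NUMERIC = re.compile(r"^[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?$")


def canonical(text):
    """Return (significant_digits, exponent_of_leading_digit) for a decimal
    literal, or None if the string is not a plain decimal number.

    Sign, decimal point, exponent notation and leading/trailing zeros are all
    normalised away, so '0.00022250738585072012e-304', '2.2250738585072012E-308'
    and '22250738585072012e-324' all canonicalise to the same pair.
    """
    m = _NUMERIC.match(text.strip())
    if not m:
        return None
    int_part, frac_part, exp_part = m.group(1) or "", m.group(2) or "", m.group(3)
    full = int_part + frac_part
    if not full:
        return None
    stripped = full.lstrip("0")
    if not stripped:
        return ("0", 0)
    lead = len(full) - len(stripped)  # index of the first non-zero digit
    exp10 = (len(int_part) - 1 - lead) + int(exp_part or 0)
    return (stripped.rstrip("0"), exp10)


def is_beast(text):
    """True if text spells the trigger value in any of its decimal forms."""
    canon = canonical(text)
    if canon is None:
        return False
    digits, exp10 = canon
    return exp10 == BEAST_EXP10 and digits.startswith(BEAST_PREFIX)


def tainted_params(params):
    """Names of request parameters that would trip a vulnerable parser.

    `params` maps parameter name to raw string value, as a reverse proxy or
    WAF sees it before the request reaches the Java/PHP back end.
    """
    return sorted(name for name, value in params.items() if is_beast(value))


if __name__ == "__main__":
    # Constructed sample request; the last two values are the same number
    # re-spelled to dodge a naive substring match on '2.2250738585072012e-308'.
    sample = {
        "page": "3",
        "price": "19.99",
        "qty": "2.2250738585072012e-308",
        "rate": "0.00022250738585072012e-304",
        "weight": "22250738585072012e-324",
    }
    print(tainted_params(sample))  # ['qty', 'rate', 'weight']
```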
 
Awesome XSS challenge  [sla.ckers.org]
Can you do it?
 
To be honest, I was a little confused by this week’s patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, or cookie) and assign the tainted value to a couple of different PHP variables ($description and $notes in particular). The application then uses these tainted values on lines 136 and 140, resulting in XSS. The developer addressed these XSS issues by HTML-encoding the $_REQUEST values before assigning them to PHP variables. In the code mentioned above, the developer decided to encode/sanitize at the point of assignment (as opposed to the point of consumption). There are differing perspectives as to whether one should encode/sanitize upon assignment or consumption, but the truth is both methods work.
 
Spot the Vuln – Character  [software-security.sans.org]
 
 
The Web Tracking Protection specification is designed to enable users to opt-out of online tracking. The platform has two parts:
Filter lists, which can enforce user privacy preferences by preventing the user agent from making unwanted requests to webservers that track users.
A user preference, which is an HTTP header and a DOM property, to be used by webservers to respect the user’s privacy.
Together these technologies can be used to enforce privacy protection for users, and provide access to content and services that respect user privacy preferences.

Network Security

 
The plot? As usual:
A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.
Are you up to the challenge? All details are here
 
Poor man’s DLP solution  [isc.sans.edu]
Although I have been fortunate to work with companies that handle large amounts of money and time to implement security solutions and typically get the latest technology solution, we also have companies that do not handle the same amount of money, due to the profit-margin business in which they are located, and therefore there is a greater rationale for investing monetary resources in those projects that are vital to the operation of the company.
A risk that materializes more frequently in companies is the leaking of information, and one of the most common ways to steal it over the Internet is through various forms such as emails and file transfers. That means we need to have a sensor that is responsible for monitoring the Internet traffic inbound and outbound. To determine your position, we will outline a two-firewall DMZ and place a Snort sensor in the middle using Linux configured in bridge mode.
 
TUESDAY, MARCH 1, 2011 AT 3:40PM
Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap, and given the right directory and permissions it can lead you right back to getting a shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (port 2049).
 
TUESDAY, MARCH 1, 2011 AT 2:38PM
CORRECTION:
Thanks to jduck for pointing it out, but you need to actually make a change to get this to work, reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/ and search for: Modifying History Behavior

Mobile Security

 
Google needs a secure sandbox
SOFTWARE DEVELOPER Google has been caught out by lax security design in its Android operating system as highly aggressive malware has been discovered on the Android Market.
At least 21 applications were found to have malware that rooted Android devices without the user’s consent, sent IMEI and IMSI numbers, product IDs, model, partner, language, country and user IDs. Most worrying of all was the ability for the rogue applications to download code and run it.
 
As seen in recent blog postings, Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As seen with previous Android threats, it is spreading through compromised versions of legitimate applications, available on unregulated third-party Android marketplaces.
We have detected a few applications carrying Android.Pjapps code. One of these applications is Steamy Window. Similar to other compromised Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed. However, during installation it is possible to identify the malicious version by the excessive permissions it requests. The images below show the installation process of a clean Steamy Window application and a malicious one.

Cryptography

 
NIST SHA-3 News  [www.schneier.com]
NIST has finally published its rationale for selecting the five finalists.

Privacy

 
Talk about Big Brother! Every Beijing mobile phone user will be tracked through the use of the latest global positioning technology, the municipal government announced on Tuesday.
The project, called the Information Platform of Real-time Citizen Movement, aims to watch over more than 20 million people in Beijing 24 hours a day, local media said yesterday. Wherever you are – whether in the bathroom, on the subway or in Tiananmen Square – the government will know.
Wireless communication experts said the system would be particularly useful not only for following the whereabouts of individuals but also in detecting any unusual gathering of a large number of people.

Funny / Odd

 
 
Safety | Pic | # 1  [www.sec-track.com]
 
 
 
One man has captured every install of Windows from 1.0 through to 7 and shared it with the world via YouTube.
The video details the install processes and the UI for each version of Windows over the past 25 years and, most importantly, the upgrade process. The only exception is Windows ME, missing as you can only upgrade to ME or 2000 and not both. The video creator, Andrew Tait, used VMware to install each version and started by installing MS-DOS 5.0 to prepare for the Windows 1.0 installation. Monkey Island and Doom 2 are both installed to test upgrade compatibility throughout the years.